Changelog (v3.26.0...v3.27.0)
- security #558 Fix sandbox filter/tag/function allow-list bypass when sandbox state changes between renders (@fabpot)
- security #cve-2026-48805 Fix sandbox bypass in deprecated internal wrappers (@fabpot)
- security #552 Fix sandbox __toString policy bypass via dynamic mapping keys (@fabpot)
- security #535 Fix sandbox __toString bypasses via Traversable in join/replace filters and the in/not in operators (@fabpot)
- security #534 Fix sandbox bypass in the "column" filter under SourcePolicyInterface (@fabpot)
- feature #4817 Add a strict mode to SecurityPolicy to opt-in to the 4.0 sandbox behavior for the extends/use tags and the parent/block/attribute functions (@fabpot)
- feature #4813 Deprecate the fact that the parent, block, and attribute functions are always allowed in a sandboxed template (@fabpot)
- bug #4812 Fix PHP 8.1+ implicit float-to-int deprecation in sandboxed array access (@fabpot)
- bug #4807 Escape root profile name in HtmlDumper (@fabpot)
- bug #4808 Restrict allowed classes in Profile::unserialize() (@fabpot)
- feature #4803 Deprecate the "Twig\Sandbox\SourcePolicyInterface" interface (@fabpot)